Strong password-only authenticated key exchange
David P. Jablon 

October 1996 ACM SIGCOMM Computer Communication Review, volume 26 issue 5 
Publisher: ACM Press 


A new simple password exponential key exchange method (SPEKE) is described. It 
belongs to an exclusive class of methods which provide authentication and key 
establishment over an insecure channel using only a small password, without risk of 
offline dictionary attack. SPEKE and the closely-related Diffie-Hellman Encrypted Key 
Exchange (DH-EKE) are examined in light of both known and new attacks, along with 
sufficient preventive constraints. Although SPEKE and DH-EKE are similar, the constraints 
a ... 

Paranoid penguin: two-factor authentication 
Corey Steele 

November 2005 Linux Journal, volume 2005 issue 139
Publisher: Specialized Systems Consultants, Inc. 




Unified login with pluggable authentication modules (PAM)
Vipin Samar 

January 1996 Proceedings of the 3rd ACM conference on Computer and 
communications security 

Publisher: ACM Press 




Integrating security in a large distributed system
M. Satyanarayanan

August 1989 ACM Transactions on Computer Systems (TOCS), volume 7 issue 3 
Publisher: ACM Press 


Andrew is a distributed computing environment that is a synthesis of the personal 
computing and timesharing paradigms. When mature, it is expected to encompass over 
5,000 workstations spanning the Carnegie Mellon University campus. This paper examines 
the security issues that arise in such an environment and describes the mechanisms that 
have been developed to address them. These mechanisms include the logical and physical 
separation of servers and clients, support for secure communication ... 



5 Protecting applications with transient authentication 
Mark D. Corner, Brian D. Noble 

May 2003 Proceedings of the 1st international conference on Mobile systems, 
applications and services MobiSys '03 

Publisher: ACM Press 


How does a machine know who is using it? Current systems authenticate their users 
infrequently, and assume the user's identity does not change. Such persistent 
authentication is inappropriate for mobile and ubiquitous systems, where associations 
between people and devices are fluid and unpredictable. We solve this problem with 
Transient Authentication, in which a small hardware token continuously authenticates the 
user's presence over a short-range, wireless link. We present the fo ... 




Unlinkable serial transactions: protocols and applications 
Stuart G. Stubblebine, Paul F. Syverson, David M. Goldschlag 

November 1999 ACM Transactions on Information and System Security (TISSEC), 
volume 2 issue 4 
Publisher: ACM Press 


We present a protocol for unlinkable serial transactions suitable for a variety of network- 
based subscription services. It is the first protocol to use cryptographic blinding to enable 
subscription services. The protocol prevents the service from tracking the behavior of its 
customers, while protecting the service vendor from abuse due to simultaneous or cloned 
use by a single subscriber. Our basic protocol structure and recovery protocol are robust 
against failure in protocol termination. ... 

Keywords: anonymity, blinding, cryptographic protocols, unlinkable serial transactions 



Authentication and authorization: Securing passwords against dictionary attacks 
Benny Pinkas, Tomas Sander 

November 2002 Proceedings of the 9th ACM conference on Computer and 
communications security 
Publisher: ACM Press 


The use of passwords is a major point of vulnerability in computer security, as passwords 
are often easy to guess by automated programs running dictionary attacks. Passwords 
remain the most widely used authentication method despite their well-known security 
weaknesses. User authentication is clearly a practical problem. From the perspective of a 
service provider this problem needs to be solved within real-world constraints such as the 
available hardware and software infrastructures. From a user' ... 



Evaluating interaction: research papers: Design and evaluation of a shoulder-surfing 
Susan Wiedenbeck, Jim Waters, Leonardo Sobrado, Jean-Camille Birget 
May 2006 Proceedings of the working conference on Advanced visual interfaces AVI 
'06 

Publisher: ACM Press 


When users input their passwords in a public place, they may be at risk of attackers 
stealing their password. An attacker can capture a password by direct observation or by 
recording the individual's authentication session. This is referred to as shoulder-surfing 
and is a known risk, of special concern when authenticating in public places. Until 
recently, the only defense against shoulder-surfing has been vigilance on the part of the 
user. This paper reports on the design and evaluation of a gam ... 

Keywords: authentication, convex hull click scheme, graphical passwords, password 
security, shoulder-surfing, usable security 



Security and usability: the case of the user authentication methods 
Christina Braz, Jean-Marc Robert 

April 2006 Proceedings of the 18th international conference on Association 
Francophone d'Interaction Homme-Machine IHM '06 

Publisher: ACM Press 


The usability of security systems has become a major issue in research on the efficiency 
and user acceptance of security systems. The authentication process is essential for 
controlling the access to various resources and facilities. The design of usable yet secure 
user authentication methods raises crucial questions concerning how to solve conflicts 
between security and usability goals. 

Keywords: access control, human factors, security usability, user authentication, user 
interface design 



Security: Zero-interaction authentication 
Mark D. Corner, Brian D. Noble 

September 2002 Proceedings of the 8th annual international conference on Mobile 
computing and networking 
Publisher: ACM Press 


Laptops are vulnerable to theft, greatly increasing the likelihood of exposing sensitive 
files. Unfortunately, storing data in a cryptographic file system does not fully address this 
problem. Such systems ask the user to imbue them with long-term authority for 
decryption, but that authority can be used by anyone who physically possesses the 
machine. Forcing the user to frequently reestablish his identity is intrusive, encouraging 
him to disable encryption. Our solution to this problem is Zero- ... 

Keywords: cryptographic file systems, mobile computing, stackable file systems, 
transient authentication 



Password hardening based on keystroke dynamics 
Fabian Monrose, Michael K. Reiter, Susanne Wetzel 

November 1999 Proceedings of the 6th ACM conference on Computer and 
communications security 
Publisher: ACM Press 

We present a novel approach to improving the security of passwords. In our approach, 
the legitimate user's typing patterns (e.g., durations of keystrokes, and latencies between 
keystrokes) are combined with the user's password to generate a hardened password that 
is convincingly more secure than conventional passwords against both online and offline 
attackers. In addition, our scheme automatically adapts to gradual changes in a user's 
typing patterns while maintaining the s ... 

12 General storage protection techniques: Securing distributed storage: challenges, 
techniques, and systems 
Vishal Kher, Yongdae Kim 

November 2005 Proceedings of the 2005 ACM workshop on Storage security and 
survivability StorageSS '05 

Publisher: ACM Press 


The rapid increase of sensitive data and the growing number of government regulations 
that require long-term data retention and protection have forced enterprises to pay serious 
attention to storage security. In this paper, we discuss important security issues related 
to storage and present a comprehensive survey of the security services provided by the 
existing storage systems. We cover a broad range of the storage security literature, 
present a critical review of the existing solutions, compare ... 

Keywords: authorization, confidentiality, integrity, intrusion detection, privacy 



Security through the eyes of users: Hardening Web browsers against man-in-the-middle 
and eavesdropping attacks 
Haidong Xia, Jose Carlos Brustoloni 

May 2005 Proceedings of the 14th international conference on World Wide Web 
WWW '05 

Publisher: ACM Press 


Existing Web browsers handle security errors in a manner that often confuses users. In 
particular, when a user visits a secure site whose certificate the browser cannot verify, 
the browser typically allows the user to view and install the certificate and connect to the 
site despite the verification failure. However, few users understand the risk of man-in-the- 
middle attacks and the principles behind certificate-based authentication. We propose 
context-sensitive certificate verification (CSCV), w ... 

Keywords: HTTPS, SSL, Web browser, certificate, eavesdropping attack, just-in-time 
instruction, man-in-the-middle attack, password, safe staging, well-in-advance instruction 



DIM frameworks: Federated identity management for protecting users from ID theft 
Paul Madsen, Yuzo Koga, Kenji Takahashi 

November 2005 Proceedings of the 2005 workshop on Digital identity management 
DIM '05 

Publisher: ACM Press 


Federated identity management is sometimes criticized as exacerbating the problem of 
online identity theft, based as it is on the idea of connecting together previously separate 
islands of identity information. This paper explores this conjecture, and argues that, while 
such linkages do undeniably increase the potential scope of a successful theft of identity 
information, this risk is more than offset by the much greater value federated identity, in 
combination with strong authentication, offers ... 

Keywords: federated identity, identity theft, phishing 



15 Implementing protocols via declarative event patterns 
Robert J. Walker, Kevin Viggers 

October 2004 ACM SIGSOFT Software Engineering Notes, Proceedings of the 12th 
ACM SIGSOFT international symposium on Foundations of software engineering 
SIGSOFT '04/FSE-12, volume 29 issue 6 
Publisher: ACM Press 


This paper introduces declarative event patterns (DEPs) as a means to implement 
protocols while improving their traceability, comprehensibility, and maintainability. DEPs 
are descriptions of sequences of events in the execution of a system that include the 
ability to recognize properly nested event structures. DEPs allow a developer to describe a 
protocol at a high-level, without the need to express extraneous details. A developer can 
indicate that specific actions be taken when a given patte ... 

Keywords: aspect-oriented programming, comprehensibility/maintainability, context-free 
grammars, context-sensitive join points, event patterns, instrumentation, parsing, 
traceability 



The battle against phishing: Dynamic Security Skins 
Rachna Dhamija, J. D. Tygar 

July 2005 Proceedings of the 2005 symposium on Usable privacy and security 
SOUPS '05 

Publisher: ACM Press 


Phishing is a model problem for illustrating usability concerns of privacy and security 
because both system designers and attackers battle using user interfaces to guide (or 
misguide) users. We propose a new scheme, Dynamic Security Skins, that allows a remote 
web server to prove its identity in a way that is easy for a human user to verify and hard 
for an attacker to spoof. We describe the design of an extension to the Mozilla Firefox 
browser that implements this scheme. We present two novel inte ... 




Puzzles and users: A PIN-entry method resilient against shoulder surfing 
Volker Roth, Kai Richter, Rene Freidinger 

October 2004 Proceedings of the 11th ACM conference on Computer and 
communications security 
Publisher: ACM Press 


Magnetic stripe cards are in common use for electronic payments and cash withdrawal. 
Reported incidents document that criminals easily pickpocket cards or skim them by 
swiping them through additional card readers. Personal identification numbers (PINs) are 
obtained by shoulder surfing, through the use of mirrors or concealed miniature cameras. 
Both elements, the PIN and the card, are generally sufficient to give the criminal full 
access to the victim's account. In this paper, we present alter ... 
18 Applications: YouServ: a web-hosting and content sharing tool for the masses 
Roberto J. Bayardo Jr., Rakesh Agrawal, Daniel Gruhl, Amit Somani 
May 2002 Proceedings of the 11th international conference on World Wide Web 

Publisher: ACM Press 


YouServ is a system that allows its users to pool existing desktop computing resources for 
high availability web hosting and file sharing. By exploiting standard web and internet 
protocols (e.g. HTTP and DNS), YouServ does not require those who access YouServ- 
published content to install special purpose software. Because it requires minimal server- 
side resources and administration, YouServ can be provided at a very low cost. We 
describe the design, implementation, and a successful intrane ... 

Keywords: decentralized systems, p2p, peer-to-peer networks, web hosting 



19 Intrusion detection and modeling: Augmenting storage with an intrusion response 
primitive to ensure the security of critical data 
Ashish Gehani, Surendar Chandra, Gershon Kedem 

March 2006 Proceedings of the 2006 ACM Symposium on Information, computer and 
communications security ASIACCS '06 

Publisher: ACM Press 


Hosts connected to the Internet continue to suffer attacks with high frequency. The use of 
an intrusion detector allows potential threats to be flagged. When an alarm is raised, 
preventive action can be taken. A primary goal of such action is to assure the security of 
the data stored in the system. If this operation is effected manually, the delay between 
the alarm and the response may be enough for an intruder to cause significant 
damage. The alternative proposed in this paper is to provide a re ... 

Fine-grained control of security capabilities 
Dan Boneh, Xuhua Ding, Gene Tsudik 

February 2004 ACM Transactions on Internet Technology (TOIT), volume 4 issue 1 
Publisher: ACM Press 


We present a new approach for fine-grained control over users' security privileges (fast 
revocation of credentials) centered around the concept of an on-line semi-trusted 
mediator (SEM). The use of a SEM in conjunction with a simple threshold variant of the 
RSA cryptosystem (mediated RSA) offers a number of practical advantages over current 
revocation techniques. The benefits include simplified validation of digital signatures, 
efficient certificate revocation for legacy systems and fast revocat ... 

Keywords: Certificate Revocation, Digital Signatures, Public Key Infrastructure 